{ "type": "URL", "indicator": "https://www.ukraine.com.ua", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.ukraine.com.ua", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3396477175, "indicator": "https://www.ukraine.com.ua", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eae1aa45c197c5f4cd", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:42.869000", "created": "2026-05-22T20:00:42.869000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "882 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "882 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081811cbd9a5dca05bd3d", "name": "assorted xyz sites for researching.", "description": "", "modified": "2023-12-06T14:13:21.425000", "created": "2023-12-06T14:13:21.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1061, "URL": 1128, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db044432cdee91e2f5d1c", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:16.410000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db0487ec8c7a4c0b1ef0e", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:20.916000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db12d71978ca34e49e88e", "name": "Hacking stemming from malicious DGA Insurance domains under Cisco Umbrella", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:11:09.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570", "defense entity fraud?" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db32c6a6193714e513695", "name": "Targeted hacking via malicious DGA insurance domains AIGcom | Host: am1mxi05.aig.com | IP: 167.230.100.44", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago\nHard to understand.", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:19:40.692000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f02c459cc8bcaa5ebeb7a", "name": "Targeted hacking via malicious DGA insurance domains AIGcom", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:11:32.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "653db32c6a6193714e513695", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f05ff39b2dee54b89d17a", "name": "AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:25:19.036000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db0487ec8c7a4c0b1ef0e", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f21878bcd05f7d594ff86", "name": " AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T03:22:47.684000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db044432cdee91e2f5d1c", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622ccdabfe5537a5a8cc71e1", "name": "assorted xyz sites for researching.", "description": "", "modified": "2022-05-13T14:11:33.609000", "created": "2022-03-12T16:43:23.872000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mokomoko1", "id": "45776", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_45776/resized/80/avatar_c26be60cfd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1128, "hostname": 1061, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 351, "modified_text": "1478 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Immortal stealer", "Raccoon stealer", "Tofsee", "Mimikatz", "Yixun", "Skynet", "Ransomware", "Nanocore", "Sibot", "Neurovt", "Hacktool.bruteforce", "Hacktool.cheatengine", "Hiddentear", "Azorult", "Nymaim", "Opencandy", "Artemis", "Maltiverse", "Ransomexx", "Gandcrab", "Chinese", "Mirai", "Trojan:win32/installcore", "Inmortal", "Trojanspy", "Hacktool", "Goldfinder", "Goldmax - s0588", "Emotet", "Domains", "Webtoolbar", "Blacknet", "Firehol", "Looquer", "Trojanx", "Ducktail" ], "industries": [], "unique_indicators": 20738 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ukraine.com.ua", "whois": "http://whois.domaintools.com/ukraine.com.ua", "domain": "ukraine.com.ua", "hostname": "www.ukraine.com.ua" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eae1aa45c197c5f4cd", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:42.869000", "created": "2026-05-22T20:00:42.869000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "882 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "882 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081811cbd9a5dca05bd3d", "name": "assorted xyz sites for researching.", "description": "", "modified": "2023-12-06T14:13:21.425000", "created": "2023-12-06T14:13:21.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1061, "URL": 1128, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db044432cdee91e2f5d1c", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:16.410000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db0487ec8c7a4c0b1ef0e", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:20.916000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.ukraine.com.ua", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.ukraine.com.ua", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780207022.468907 }